---
title: The ZITADEL Quick Start Guide
sidebar_label: Quick Start Guide
---

import { ResponsivePlayer } from "../../../src/components/player";

In this quick start guide, we will be learning some fundamentals on how to set up ZITADEL for user management and application security. Thereafter, we will secure a React-based Single Page Application (SPA) using ZITADEL.

<ResponsivePlayer controls url='https://www.youtube.com/watch?v=5THbQljoPKg' />

The sample application allows users to securely log in to ZITADEL using the OIDC Proof Key for Code Exchange (PKCE) flow. This flow ensures that the authentication process is secure by using a code verifier and a code challenge, which are sent to ZITADEL to obtain an access token. The access token is then used by the app to access the userinfo endpoint to retrieve and display information about the logged-in user. The app also has a logout feature that allows users to end their session and clear their access token. Overall, the app provides a simple and secure way for users to authenticate and access protected resources within ZITADEL.

## ZITADEL terminology: instances, organizations, projects, users, roles, authorizations and apps

In ZITADEL, instances, organizations, projects, users, roles, and apps are the main components that make up the platform.

The order of creation for the above components would typically be as follows:

<ul>
  <li>
    <b>Instance</b>: An instance is a top-level entity in ZITADEL that
    represents a deployment of ZITADEL for a registered account. An instance can
    have one or more organizations.
  </li>
  <li>
    <b>Organization</b>: An organization is a logical separation within an
    instance that represents a company/organization and can have one or more
    projects. The default organization is the one that is provided at the start
    of the account registration process. Typically, an instance would have one
    organization, but in B2B scenarios, an instance would have more than one.
  </li>
  <li>
    <b>Project</b>: A project is a logical separation within an organization and
    is a container for apps, roles and authorization policies for the resources
    it contains.
  </li>
  <li>
    <b>Users</b>: Users are created at the organizational level and are granted
    access to the resources within projects. They can be assigned different
    roles, which define the permissions and privileges they have within the
    project.
  </li>
  <li>
    <b>Roles</b>: Roles are the sets of permissions and privileges that are
    assigned to users within a project.
  </li>
  <li>
    <b>Authorizations</b>: Authorization policies in ZITADEL are defined at the
    project level, which means that they apply to all the resources within the
    project. These policies are based on the roles that are assigned to users,
    and they determine the actions that users are allowed to perform within the
    project.
  </li>
  <li>
    <b>Apps</b>: Apps are the applications that are developed and managed within
    a project. They can be client apps that use the resources within the
    project, or they can be backend apps that provide the resources for other
    apps to use. The apps can use the OIDC or SAML protocol to authenticate
    users to access protected resources.
  </li>
</ul>

The order of creation for the above components may vary depending on the specific needs and requirements of the organization.

## Set up and manage ZITADEL for your identity projects

### 1. Sign up for the ZITADEL Cloud customer portal and register your organization

1. Go to [zitadel.com](http://zitadel.com) and click “Start for FREE”.

![Home Page](/img/guides/quickstart/v3_1.png)

2. You can sign up by entering your email address or via social login, e.g., Google. Let's sign up using an email address. Enter your email address and click "Sign in with Email".

![Registration Page](/img/guides/quickstart/v3_2.png)

3. Next, complete your details and click "Continue".

![Congratulations Page](/img/guides/quickstart/v3_3.png)

4. Add a password as shown below. Adhere to the password requirements, agree to the terms of service and privacy policy by selecting the checkbox, and click the "Get started" button.

![Code](/img/guides/quickstart/v3_4.png)

5. Enter your login data. Provide the password you just created. Click "next".

![Inbox](/img/guides/quickstart/v3_5.png)

6. You will now have to verify your email address.

![Verify Email](/img/guides/quickstart/v3_17.png)

6. Go to your inbox and open the email from ZITADEL and click the "Verify email" button.

![Code](/img/guides/quickstart/v3_6.png)

7. The user is now activated. Click the "login" button.

![User Activated](/img/guides/quickstart/v3_7.png)

8. Now you will have to log in with the username and password that you provided. Click “Sign in with Email”, then provide a name for your team or organization and continue.

![Login](/img/guides/quickstart/v3_8.png)

### 2. Complete onboarding questions

To begin, we'll ask you a few questions.
These will help us understand your needs and personalize your ZITADEL experience, ensuring you get the most out of it.

![Onboarding Questions](/img/guides/quickstart/onboarding_questions.png)

### 3. Create your first instance

As a user of the ZITADEL Cloud Customer Portal, you now can create multiple instances to suit your specific needs.
This includes instances for development, production, or user acceptance testing, as well as instances for different clients or applications.
The possibilities are endless. You can create your first instance for free.

1. Create an instance.
by clicking on “Create Instance”.

![Create Instance](/img/guides/quickstart/create_instance.png)

2. Provide a name for your instance and click on the “Continue” button at the bottom of this screen.

![Create Instance Name](/img/guides/quickstart/create_instance_name.png)

3. Next, you should see the following screen. Add a username and password for the instance administrator and click "Create".

![Create Instance Admin](/img/guides/quickstart/create_instance_admin.png)

3. After creating your first instance, you're ready to configure user authentication. To access the management console, click the 'Sign in to your instance' button.

![Sign In Instance](/img/guides/quickstart/sign_in_instance.png)

6. To log in to your instance, provide the username and password you set in the instance creation, and click “next”.

7. Skip the 2-factor authentication for now by clicking “skip”.

8. And there you go! You now have access to your instance.

![Instance Details](/img/guides/quickstart/instance_dashboard.png)

### 4. Create your first project and app

Because applications are always associated with a project, we'll guide you through setting up both in the following steps.

1. Click the "Create Application" button or the Framework/Language of your choice on the right side

2. Insert “Project1” (or any name of your choice) as the project’s name and select the framework/language of your choice in our case "React" and click the “Continue” button. (If you can't find your framework/languages select "Other")

![Project Name and Framework/Language](/img/guides/quickstart/create_project_react.png)

3. An overview of the configuration for the framework you have selected is shown

![Project Configuration Overview - React App](/img/guides/quickstart/project_config_overview_react.png)

What the configuration does:
- We recommend using the [Authentication Code Flow](/docs/apis/openidoauth/grant-types#authorization-code) with [Proof Key for Code Exchange (PKCE)](/docs/apis/openidoauth/grant-types#authorization-code) for secure OIDC configuration. This setup includes specific App, Grant, and Response Types, as well as an Authentication Method. More about the different app types can be found [here](/docs/guides/integrate/login/oidc/oauth-recommended-flows#different-client-profiles).
- The redirect URI is where the ZITADEL authorization server redirects the user after they have been authenticated. The "Redirect URI" is preconfigured to [http://localhost:3000/callback](http://localhost:3000/callback) and the “Post Logout URI” to [http://localhost:3000/](http://localhost:3000/) for the React example

4. The detailed configuration of your app will be shown

![Project Name and Framework/Language](/img/guides/quickstart/app_detail_overview_react.png)

### 5. Add users (optional)

[Skip optional steps](quickstart/#7-create-an-application-in-your-project) and jump directly to the obtain ClientId and OIDC endpoints.

1. To add users, click on “Users” at the top menu. You will see that the user you already created is listed as a user here. Click on the “New” button to create a new user.

![Add User](/img/guides/quickstart/26.png)

2. Let’s add another user as shown below. Fill in the user details as shown below and click on the “Create” button when you are done.

![Add User](/img/guides/quickstart/27.png)

3. The newly created user details will be displayed as shown below.

![User Info](/img/guides/quickstart/28.png)

4. Once you navigate back to the "Users" view, you will see a list of all the users that have been added to your instance. If you need to add more users, you can do so.

![User Info](/img/guides/quickstart/29.png)

### 6. Add roles to your project (optional)

1. To add roles to your project, click on “Roles” on the left as shown below. Next, click on the “New” button.

![Add Roles](/img/guides/quickstart/22.png)

2. Let’s create the role “manager” as shown below. Add “Manager” and “Group1” as display name and group respectively.

![Add Role](/img/guides/quickstart/23.png)

3. You can also add other roles in this step by clicking on “Add additional role”. Let’s go ahead and add two more as shown below. Click “Save” when you are done.

![Add Role](/img/guides/quickstart/24.png)

4. Now you can view a list of all the roles you just created.

![Add Role](/img/guides/quickstart/25.png)

### 7. Add authorizations to your project (optional)

1. Click on “Authorizations” on the top menu.

![Add Authorization](/img/guides/quickstart/30.png)

2. Select users for the authorization. You can select 1 or more users for a single authorization grant. Let’s select all the users for this grant.

![Add Authorization](/img/guides/quickstart/31.png)

3. Next, select a project. Since we created only “Project1” so far, you will see just that. Go ahead and select it.

![Add Authorization](/img/guides/quickstart/32.png)

4. Let’s select the role “sales”. Click on “Save”.

![Add Authorization](/img/guides/quickstart/33.png)

5. Now you will see the users with their designated roles.

![Add Authorization](/img/guides/quickstart/34.png)

6. To assign additional roles to a user, you can click on the user's name and select the desired roles from the list. This will grant the user additional permissions within the project. Click on “Change”.

![Add Authorization](/img/guides/quickstart/35.png)

7. You can see that additional roles have been assigned to the users in this updated authorization list and this should now give you an indication of how authorizations work in ZITADEL.

![Add Authorization](/img/guides/quickstart/37.png)

### 8. Obtain ClientId and OIDC endpoints for your application {#referred1}

You will need the ClientId and the OIDC endpoints (issuer and userinfo) when building your React application. The issuer URL is the base URL for the OIDC provider and includes the path to the OIDC discovery document, which contains information about the OIDC provider, including the authorization and token endpoints. By providing the issuer URL, you can use the OIDC library to automatically determine the endpoints for these requests.

The authorization endpoint is used to initiate the authorization process, the token endpoint is used to exchange authorization codes for access tokens, and the userinfo endpoint is used to retrieve information about the user. You need an access token to access the userinfo endpoint and other protected resources.

1. Click on “Configurations” to access the Client ID as shown below:

![Get URLs](/img/guides/quickstart/51.png)

2. The issuer URL and userinfo endpoint can be accessed by clicking on “URLs” on the left. Make note of the corresponding values for “issuer” and “userinfo_endpoint”.

![Get URLs](/img/guides/quickstart/52.png)

And with that, configuring ZITADEL for our application is complete. Now we can move on to building our React application. Let's get coding!

## Create your React application with ZITADEL OIDC PKCE authentication

### 1. Functional requirements of the application

1. The user navigates to the React app (client) and clicks the "login" button.
2. The app initiates the authorization process by redirecting the user’s browser to the authorization endpoint of the ZITADEL instance, along with the PKCE parameters (code challenge, and code challenge method).
3. The user will see the ZITADEL login page, where the user can enter their credentials.
4. After successful authentication, ZITADEL generates an authorization code and redirects the user back to the React app.
5. The React app sends a request to the ZITADEL token endpoint, along with the authorization code and code verifier.
6. ZITADEL verifies the code verifier to ensure that the authorization request is coming from the same client that initiated it. If it is valid, ZITADEL returns an access token to the React app.
7. The React app uses the access token to make a request to the userinfo endpoint, which is protected by the OIDC protocol.
8. The userinfo endpoint returns information about the logged-in user, such as their name and email address.
9. The React app displays this information to the user.
10. When the user wants to log out, the React app sends a request to the ZITADEL logout endpoint, which clears the access token and ends the user's session.
11. The user will be redirected to the login page of the app.

**_The scope of this application for this quick start guide is limited to user authentication and doesn't include role-based authentication, even though we previously discussed adding roles and users._**

### 2. Prerequisites

To follow along with this tutorial, you will need to have both Node.js and Visual Studio Code (VSCode) installed on your machine.

To install React, you will need to have Node.js installed on your system. You can download and install Node.js from [here](https://nodejs.org/).

To install Visual Studio Code, go to their [website](https://code.visualstudio.com/) and download and install the version for your operating system.

### 3. Development

#### 1. Create project

1. Open a new terminal window in Visual Studio Code.
2. Navigate to the folder where you want to create the React app.
3. Run the following command to create a new React app named "react-oidc-zitadel":

   `yarn create react-app react-oidc-zitadel --template typescript`

4. Navigate to the "react-oidc-zitadel" folder:

   `cd react-oidc-zitadel`

5. The dependencies for this project include @zitadel/react and react-router-dom. To include them in your React application, you will need to run the following command in your terminal:

   `yarn add @zitadel/react react-router-dom`

#### 2. Add source files

The code needed to run this project can be found [here](https://github.com/zitadel/zitadel-react).

1. Replace the content in your App.js file with the one provided below:

[src/App.tsx](https://github.com/zitadel/zitadel-react/blob/main/src/App.tsx):

```
  const config: ZitadelConfig = {
    authority: "[YOUR-INSTANCE-URL]",
    client_id: "[YOUR-CLIENT-ID]",
    redirect_uri: "[YOUR-REDIRECT-URI]",
    post_logout_redirect_uri: "[YOUR-POST-LOGOUT-REDIRECT-URI]",
  };

  const zitadel = createZitadelAuth(config);
  ...
```

The App.tsx file is the root component of the React app that initializes the OIDC flow and manages the user's session. It does this by:

- Importing the necessary libraries and components from the dependencies, including the `@zitadel/react` library and the Login and Callback components.
- Initializing a new `zitadel` instance with the OIDC configuration values. The `zitadel` instance manages the OIDC flow and stores the user's session information.
- Defining two functions: `authorize` and `signout`. The `authorize` function initiates the OIDC flow when the user clicks the `login` button, while the `signout` function ends the user's session when the user clicks the `logout` button.
- Defining state variable: `authenticated`. The authenticated variable is a boolean that indicates whether the user is authenticated or not.
- Using the `useEffect` hook to retrieve the user's session information from the `UserManager` instance and updating the `authenticated` state variable accordingly.
- Defining the routes for the app using the `react-router-dom` library, including the `/` and `/callback` routes for the login and callback pages, respectively. The `Login` and `Callback` components handle the login and callback processes, respectively.

The provided config extends the `UserManagerSettings` of the `oidc-client-ts` library. Take a look at some of the available configuration options:

- authority (the URL of your instance ending with /).
- client\*id (the unique identifier for the client application).
- redirect_uri (the URL to redirect to after the authorization flow is complete)
- post_logout_redirect_uri (the URL to redirect to after the user logs out)
- scope (the permissions requested from the user)
- project_resource_id (To add a ZITADEL project scope. `urn:zitadel:iam:org:project:id:[projectId]:aud` and `urn:zitadel:iam:org:projects:roles` [scopes](/docs/apis/openidoauth/scopes#reserved-scopes).)
- prompt ([the OIDC prompt parameter](/apis/openidoauth/endpoints#additional-parameters))

2. Create a folder named components in the src directory. Create two files named Login.js and Callback.js.

3. Paste the following code to Login.tsx.

```ts reference
https://github.com/zitadel/zitadel-react/blob/main/src/components/Login.tsx
```

The `/` route corresponds to the login page, which is rendered by the Login component. The Login(Login.tsx) component is a functional component that displays the login button and calls the `handleLogin` function (which corresponds to the `authorize` function defined in the App component) when the button is clicked. This initiates the OIDC flow by redirecting the user to the authorization endpoint.

4. Paste the following code to Callback.js.

```ts reference
https://github.com/zitadel/zitadel-react/blob/main/src/components/Callback.tsx
```

The `/callback` route corresponds to the callback page, which is rendered by the Callback (Callback.tsx) component.
The Callback component is also a functional component that handles the callback from the authorization server after the user logs in.
It retrieves the authorization code from the URL, exchanges it for an access token and id token, and retrieves the user's information from the userinfo endpoint.
It also sets the `authenticated` state variable in the App (App.tsx) component and displays the `logout` button.
When the `logout` button is clicked, the `clearAuth` function is called and the user's session is ended. The `clearAuth` function is defined in the App component and is called with no arguments. It initiates the end session flow by redirecting the user to the end session endpoint.

Note that the @zitadel/react library automatically handles the generation of the code verifier and code challenge when the user clicks on the login button, eliminating the need for the application to manually generate and include these values in the requests.

In the PKCE flow, the code verifier is a random string generated by the client application, and the code challenge is a transformed version of the code verifier using the SHA-256 hashing algorithm.

5. Now you can think about styling your application. Edit the `index.css` and `App.css` to apply CSS styling to the pages.

### 3. Running the application

1. Run `yarn start` to start the development server.
2. Open your browser and navigate to `http://localhost:3000/` to view the app.
3. You will see the login page, which is the landing page of the app, when you run the application. Click on the “Please log in” button.

![Login](/img/guides/quickstart/login1.png)

4. You will be redirected to the ZITADEL login page. Add your username/email and click on “next”.

![Redirect](/img/guides/quickstart/login2.png)

5. Enter your password and click on “next”.

![Redirect](/img/guides/quickstart/login3.png)

6. If you entered the correct login credentials (and if the PKCE parameters generated by the application match), you will be redirected to the callback page, which displays your user information.

![Redirect](/img/guides/quickstart/login4.png)

7. You can click on “Log out” to log out of the application and you will be taken to the landing page.

![Redirect](/img/guides/quickstart/login1.png)

And this brings us to the end of this quick start guide!

This tutorial covered how to configure ZITADEL and how to use React to build an app that communicates with ZITADEL to access secured resources.

We hope you enjoyed the tutorial and encourage you to check out the ZITADEL [documentation](/docs) for more information on how to use the ZITADEL platform to its full potential. Thanks for joining us!
